Knowledge base

Building Android from source

If you want to add more deeply integrated features to Android, you need to implement them in the source code and then successfully build that code. If you need a feature which is already implemented in another ROM, in the majority of cases the best solution is cherry-picking.

Building for specific ROMs & devices - links

Android Security

Android has many security features. Some of them are implemented well, some of them not (e.g. ASLR). Our goal in brmlab is to improve the usage of those features. Security features implemented in Android are:

iptables - implemented probably from version 1 till current, but without a GUI. I use AFWall+ but maybe something better is out there.

ASLR - introduced in 4.0, PIE support from 4.1, non-PIE support dropped from 5.0

application sandbox - can sometimes be escaped because of poorly written apps which store sensitive data in shared memory; check for example “Android class loading hijacking” in the exploit list below.

Privacy Guard/App Ops - “sandboxing customization.” Introduced in 4.3, not supported in newer AOSP; CM supports some features but they don't care about privacy (permissions like “network access” and similar are missing). MIUI Permission Manager looks very good, but the guys from MIUI have some problems with understanding the meaning of the words “open source.” Maybe XPrivacy will do the trick; further research needed.
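An added example for the ASLR item above (this is not code from the page or from AOSP): since Android 5.0 refuses to run non-PIE executables and ASLR can only relocate position-independent images, a ROM builder wants to catch ET_EXEC binaries before they ship. The check reads the ELF e_type field honouring the header's own byte order; the sample "binaries" and their paths are constructed in-line so it runs offline. Shared libraries are also ET_DYN, so "pie" here means "relocatable" (a PT_INTERP lookup would separate the two and is left out).

```python
"""Flag non-PIE ELF binaries, which ASLR cannot relocate (added example)."""
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2  # fixed load address: the main image cannot be randomised
ET_DYN = 3   # position-independent: PIE executable or shared library


def elf_type(data):
    """Return e_type from an ELF header, or None if data is not ELF.

    e_type is two bytes at offset 16, in the endianness given by
    e_ident[EI_DATA] at offset 5 (1 = little-endian, 2 = big-endian).
    """
    if len(data) < 18 or data[:4] != ELF_MAGIC:
        return None
    endian = "<" if data[5] == 1 else ">"
    return struct.unpack_from(endian + "H", data, 16)[0]


def classify(data):
    """Map a binary to 'pie', 'non-pie', 'other' (core/relocatable) or 'not-elf'."""
    e_type = elf_type(data)
    if e_type is None:
        return "not-elf"
    return {ET_DYN: "pie", ET_EXEC: "non-pie"}.get(e_type, "other")


def find_non_pie(binaries):
    """Given {path: bytes}, return the sorted paths of ET_EXEC binaries."""
    return sorted(p for p, b in binaries.items() if classify(b) == "non-pie")


def make_header(e_type, little_endian=True, machine=40):
    """Build a minimal ELF header (constructed test data; 40 = EM_ARM)."""
    e_ident = ELF_MAGIC + bytes([1, 1 if little_endian else 2, 1, 0]) + b"\x00" * 8
    endian = "<" if little_endian else ">"
    return e_ident + struct.pack(endian + "HHI", e_type, machine, 1)


# Constructed stand-in for what a scan of a system image would read.
SAMPLE = {
    "system/bin/ping": make_header(ET_DYN),
    "system/bin/legacy_daemon": make_header(ET_EXEC),
    "system/bin/be_tool": make_header(ET_EXEC, little_endian=False),
    "system/lib/libc.so": make_header(ET_DYN),
    "system/etc/hosts": b"127.0.0.1 localhost\n",
}

if __name__ == "__main__":
    for path in find_non_pie(SAMPLE):
        print("non-PIE, will not run on Android >= 5.0:", path)
```

Running it lists the two ET_EXEC entries. On a real image, replace `SAMPLE` with the first few dozen bytes of each file under `system/bin` and `system/xbin`; anything reported must be rebuilt with `-fPIE -pie` before the ROM targets 5.0 or later.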

Android device attack vectors

Attacks through the radio (baseband, modem) - even with very well implemented safety features in the Android OS you need to “take care” of another processor, which is in every mobile phone.

Security - Radio (baseband) related

The RADIO (BASEBAND, MODEM) is another processor inside every mobile phone which is responsible for communication between the BTS and your OS. It is closed source and not a well documented playground (it is not easy to find nice and easily understandable articles on this topic). The source code dates from the 80's and 90's, with a security mindset from that age.

Android exploits

If you want to improve Android security it's good to know the problem from the other point of view, so you can more easily adapt policy and code changes to prevent an attack. It is obvious that nobody can predict exactly what a 0-day exploit will look like, but if you learn how to minimize the impact even after successful exploitation, you're one step further towards saving the device.

Exploit list

Here are some of the exploits known today for the Android platform; it serves mainly as a link database for interesting info on special cases, and old ones are left in the database for educational and historical reasons. For full coverage of known Android vulnerabilities use cvedetails or exploit-db instead.

Android class loading hijacking - not exactly a bug, only a weakness which could be used in ODEX handling, useful against badly written apps on the Dalvik machine; Android <5.0 has Dalvik, newer ones run ART, so for them it's history: Symantec official report (if you don't have JavaScript and similar crap everywhere, read here)
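An added example that covers both the sandbox item above (apps keeping sensitive material where other apps can reach it) and this class-loading weakness; it is not code from the page or from the Symantec report. It assumes the general shape of the weakness: an app loads DEX/JAR code from a location another UID can write to, so the code can be swapped before the app loads it. The audit walks a tree and flags code files that are world-writable or that sit in a world-writable directory without the sticky bit; the directory names and files are constructed in a temporary directory so the scan runs offline (POSIX permission bits are assumed).

```python
"""Audit a tree for loadable app code that another UID could replace (added example)."""
import os
import stat
import tempfile

# File types Dalvik/ART (or a native loader) would execute if pointed at them.
CODE_SUFFIXES = (".dex", ".odex", ".jar", ".apk", ".so")


def insecure_code_paths(root):
    """Return sorted (relative_path, reason) pairs for code files that are
    world-writable, or live in a world-writable directory without the sticky
    bit, where any UID may rename or replace entries."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dmode = os.stat(dirpath).st_mode
        dir_open = bool(dmode & stat.S_IWOTH) and not (dmode & stat.S_ISVTX)
        for name in filenames:
            if not name.lower().endswith(CODE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.stat(path).st_mode & stat.S_IWOTH:
                findings.append((rel, "file is world-writable"))
            elif dir_open:
                findings.append((rel, "directory is world-writable"))
    return sorted(findings)


def _put(path, mode, content=b"dex\n"):
    """Write a constructed file and set its permission bits explicitly."""
    with open(path, "wb") as f:
        f.write(content)
    os.chmod(path, mode)


def demo():
    """Build a constructed tree (names are made up) and return the audit result."""
    with tempfile.TemporaryDirectory() as root:
        private = os.path.join(root, "app_dex")        # like an app's private dir
        shared = os.path.join(root, "sdcard_plugins")  # like external storage
        os.mkdir(private)
        os.chmod(private, 0o700)
        os.mkdir(shared)
        os.chmod(shared, 0o777)
        _put(os.path.join(private, "classes.dex"), 0o600)  # fine: private dir, private file
        _put(os.path.join(private, "notes.txt"), 0o666)    # not code, so not reported
        _put(os.path.join(shared, "plugin.dex"), 0o644)    # replaceable via the open dir
        _put(os.path.join(shared, "helper.jar"), 0o666)    # directly writable by anyone
        return insecure_code_paths(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

The two findings are the plugin loaded from the world-writable directory and the jar that is itself writable; the private dex is silent. Pointed at an unpacked `/data/data/<pkg>` or an app's external-storage folder, the same walk shows where a DexClassLoader target could be replaced, and the fix is to load code only from the app's own private directory.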

GPLv2 Android

From wiki: Replicant is a free and open source operating system based on the Android mobile platform, which aims to replace all proprietary Android components with their free software counterparts. This also makes it a security focused operating system as it closes discovered Android backdoors.

The problem is that it unfortunately only cares about the radio's integration into Android, not about the radio itself.

Unbrick Android tablet

Take out the internal 4GB microSD and wipe it clean: dd if=/dev/zero of=/dev/sdX bs=512KB count=4 . No need to do anything further, i.e. create a partition or format.

Put the internal 4GB microSD back into the tablet.

Extract the contents of the ZIP. With u-boot-sd.bin from the ZIP, use dd to dump it onto an external microSD. I used a 2GB card for this. dd if=/path_to_bin/u-boot-sd.bin of=/dev/sdX

Copy the entire contents of the ZIP to the largest partition of the external microSD. It was the only automatically mounted partition when I replugged the card into Ubuntu.

I had to do these steps as recommended in the first post: rm -R utscript_sd && cp utscript utscript_sd (I didn't do it initially and after the recovery flash, my tablet couldn't boot w/o the external microSD)

Insert the external microSD into your tablet. Now, both microSDs are inside the tablet.

Press power and “M” button simultaneously. It should boot up and begin recovery. After that is done, you may remove your external microSD and proceed as your wish.

What we've learned: the Power On switch functionality depends on the internal SD content (even if the device seems to be bricked).